
Example 41 with SQLExpr

use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.

the class WallVisitorUtils method checkSchema.

/**
 * Applies the schema-deny and object-deny rules to a name expression, then recurses
 * into its owner chain (e.g. {@code schema.table.column}) so every qualifier is checked.
 *
 * <p>The return value is {@code true} on every path; violations are reported through
 * {@code addViolation} rather than through the result.
 *
 * @param visitor the wall visitor supplying the provider, config and violation sink
 * @param x       the expression to inspect; only {@code SQLName} and {@code SQLPropertyExpr} are examined
 * @return always {@code true} as written
 */
private static boolean checkSchema(WallVisitor visitor, SQLExpr x) {
    final WallTopStatementContext topStatementContext = wallTopStatementContextLocal.get();
    // Once the top statement has been classified as reading a system schema/table, nothing
    // below is checked again.
    if (topStatementContext != null && (topStatementContext.fromSysSchema || topStatementContext.fromSysTable)) {
        return true;
    }
    if (x instanceof SQLName) {
        String owner = ((SQLName) x).getSimpleName();
        // form() normalizes the identifier before it is compared against the deny lists
        // (presumably unquoting/case-folding — confirm in WallVisitorUtils.form).
        owner = WallVisitorUtils.form(owner);
        // As used here, a false return from checkDenySchema(owner) means the schema is denied.
        // The schema rule only applies to names that appear in a table-source position.
        if (isInTableSource(x) && !visitor.getProvider().checkDenySchema(owner)) {
            if (!isTopStatementWithTableSource(x) && !isFirstSelectTableSource(x) && !isFirstInSubQuery(x)) {
                // Nested reference to a denied schema: walk up to the enclosing statement and
                // exempt it only when the statement is a SELECT whose leftmost FROM table is
                // qualified with the same schema (compared case-insensitively).
                SQLObject parent = x.getParent();
                while (parent != null && !(parent instanceof SQLStatement)) {
                    parent = parent.getParent();
                }
                boolean sameToTopSelectSchema = false;
                if (parent instanceof SQLSelectStatement) {
                    SQLSelectStatement selectStmt = (SQLSelectStatement) parent;
                    SQLSelectQuery query = selectStmt.getSelect().getQuery();
                    if (query instanceof SQLSelectQueryBlock) {
                        SQLSelectQueryBlock queryBlock = (SQLSelectQueryBlock) query;
                        SQLTableSource from = queryBlock.getFrom();
                        // Descend to the leftmost table of a join chain.
                        while (from instanceof SQLJoinTableSource) {
                            from = ((SQLJoinTableSource) from).getLeft();
                        }
                        if (from instanceof SQLExprTableSource) {
                            SQLExpr expr = ((SQLExprTableSource) from).getExpr();
                            if (expr instanceof SQLPropertyExpr) {
                                SQLExpr schemaExpr = ((SQLPropertyExpr) expr).getOwner();
                                if (schemaExpr instanceof SQLIdentifierExpr) {
                                    String schema = ((SQLIdentifierExpr) schemaExpr).getName();
                                    schema = form(schema);
                                    if (schema.equalsIgnoreCase(owner)) {
                                        sameToTopSelectSchema = true;
                                    }
                                }
                            }
                        }
                    }
                }
                if (!sameToTopSelectSchema) {
                    addViolation(visitor, ErrorCode.SCHEMA_DENY, "deny schema : " + owner, x);
                }
            } else {
                // The denied schema is referenced directly by the top statement's (or first
                // select's / sub-query's) table source: the statement is classified as a
                // system-schema read and violations recorded so far are dropped.
                // NOTE(review): clearViolation discards earlier violations for this statement;
                // confirm that classification is meant to override them.
                if (topStatementContext != null) {
                    topStatementContext.setFromSysSchema(Boolean.TRUE);
                    clearViolation(visitor);
                }
            }
            return true;
        }
        // Object-level deny list (not restricted to table-source positions).
        if (visitor.getConfig().isDenyObjects(owner)) {
            addViolation(visitor, ErrorCode.OBJECT_DENY, "deny object : " + owner, x);
            return true;
        }
    }
    // Recurse into the owner of a qualified name so each qualifier gets the same checks.
    if (x instanceof SQLPropertyExpr) {
        return checkSchema(visitor, ((SQLPropertyExpr) x).getOwner());
    }
    return true;
}

Example 42 with SQLExpr

use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.

the class WallVisitorUtils method checkDelete.

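/**
 * Applies the wall's DELETE rules to a delete statement.
 *
 * <p>Checks, in order: read-only table source, whether DELETE is allowed at all,
 * a missing WHERE clause (counted in the {@code WallContext} and optionally denied),
 * and finally the WHERE expression itself including the always-true test.
 * Violations are reported through {@code addViolation}.
 *
 * @param visitor the wall visitor supplying the config and collecting violations
 * @param x       the DELETE statement under inspection
 */
public static void checkDelete(WallVisitor visitor, SQLDeleteStatement x) {
    checkReadOnly(visitor, x.getTableSource());
    WallConfig config = visitor.getConfig();
    if (!config.isDeleteAllow()) {
        // Reported under the DELETE code so a denied DELETE is distinguishable from a
        // denied INSERT when violations are inspected by error code.
        addViolation(visitor, ErrorCode.DELETE_NOT_ALLOW, "delete not allow", x);
        return;
    }
    // A MySQL multi-table DELETE ... USING and a join table source each carry their own
    // targeting; neither is treated as a bare "delete without WHERE".
    boolean hasUsing = x instanceof MySqlDeleteStatement && ((MySqlDeleteStatement) x).getUsing() != null;
    boolean isJoinTableSource = x.getTableSource() instanceof SQLJoinTableSource;
    SQLExpr where = x.getWhere();
    if (where == null && !hasUsing && !isJoinTableSource) {
        WallContext context = WallContext.current();
        if (context != null) {
            context.incrementDeleteNoneConditionWarnings();
        }
        if (config.isDeleteWhereNoneCheck()) {
            addViolation(visitor, ErrorCode.NONE_CONDITION, "delete none condition not allow", x);
            return;
        }
    }
    if (where != null) {
        checkCondition(visitor, where);
        // An always-true WHERE is only a violation when that check is enabled, the statement
        // ends in a comment, and the condition is not a simple constant expression.
        boolean alwaysTrue = Boolean.TRUE == getConditionValue(visitor, where, config.isDeleteWhereAlwayTrueCheck());
        if (alwaysTrue && config.isDeleteWhereAlwayTrueCheck() && visitor.isSqlEndOfComment() && !isSimpleConstExpr(where)) {
            addViolation(visitor, ErrorCode.ALWAYS_TRUE, "delete alway true condition not allow", x);
        }
    }
}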

Example 43 with SQLExpr

use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.

the class WallVisitorUtils method checkJoinConditionForMultiTenant.

/**
 * Injects the tenant condition into a join whose right-hand table matches the configured
 * tenant table pattern, AND-ing it in front of any existing join condition.
 *
 * <p>Does nothing when no tenant table pattern is configured, when the right-hand side is
 * not a plain table reference, or when its name does not match the pattern. The
 * {@code checkLeft} parameter is accepted but not consulted by this implementation.
 *
 * @param visitor       the wall visitor supplying the config and flagged when the SQL is rewritten
 * @param join          the join whose condition may be rewritten in place
 * @param checkLeft     unused
 * @param statementType the statement kind passed through to {@code createTenantCondition}
 * @deprecated kept for compatibility; see the project's current multi-tenant handling
 */
@Deprecated
public static void checkJoinConditionForMultiTenant(WallVisitor visitor, SQLJoinTableSource join, boolean checkLeft, StatementType statementType) {
    String pattern = visitor.getConfig().getTenantTablePattern();
    if (pattern == null || pattern.isEmpty()) {
        return;
    }
    SQLExpr originalCondition = join.getCondition();
    SQLExpr rewritten = originalCondition;
    SQLTableSource rightSource = join.getRight();
    if (rightSource instanceof SQLExprTableSource) {
        SQLExpr rightExpr = ((SQLExprTableSource) rightSource).getExpr();
        if (rightExpr instanceof SQLIdentifierExpr) {
            String tableName = ((SQLIdentifierExpr) rightExpr).getName();
            if (ServletPathMatcher.getInstance().matches(pattern, tableName)) {
                // The tenant predicate is qualified by the alias, falling back to the table name.
                String qualifier = rightSource.getAlias() == null ? tableName : rightSource.getAlias();
                SQLBinaryOpExpr tenantCondition = createTenantCondition(visitor, qualifier, statementType, tableName);
                rewritten = originalCondition == null
                        ? tenantCondition
                        : new SQLBinaryOpExpr(tenantCondition, SQLBinaryOperator.BooleanAnd, originalCondition);
            }
        }
    }
    // Identity comparison: only a newly built condition counts as a modification.
    if (rewritten != join.getCondition()) {
        join.setCondition(rewritten);
        visitor.setSqlModified(true);
    }
}

Example 44 with SQLExpr

use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.

the class WallVisitorUtils method check.

/**
 * Checks one select-list item.
 *
 * <p>Two rules: a bare {@code @} variable reference is a violation unless it is a
 * top-level select item, and {@code SELECT *} is a violation when the config does not
 * allow it and the enclosing query block selects from a plain table source. As written,
 * a {@code SELECT *} over a join or sub-query table source is not flagged.
 *
 * @param visitor the wall visitor supplying the config and collecting violations
 * @param x       the select item to inspect
 */
public static void check(WallVisitor visitor, SQLSelectItem x) {
    SQLExpr itemExpr = x.getExpr();
    if (itemExpr instanceof SQLVariantRefExpr) {
        boolean nested = !isTopSelectItem(itemExpr);
        if (nested && "@".equals(((SQLVariantRefExpr) itemExpr).getName())) {
            addViolation(visitor, ErrorCode.EVIL_NAME, "@ not allow", x);
        }
    }
    if (visitor.getConfig().isSelectAllColumnAllow()) {
        return;
    }
    if (!(itemExpr instanceof SQLAllColumnExpr)) {
        return;
    }
    if (!(x.getParent() instanceof SQLSelectQueryBlock)) {
        return;
    }
    SQLSelectQueryBlock enclosingBlock = (SQLSelectQueryBlock) x.getParent();
    // Only a plain table source in FROM triggers the rule.
    if (enclosingBlock.getFrom() instanceof SQLExprTableSource) {
        addViolation(visitor, ErrorCode.SELECT_NOT_ALLOW, "'SELECT *' not allow", x);
    }
}

Example 45 with SQLExpr

use of com.alibaba.druid.sql.ast.SQLExpr in project druid by alibaba.

the class WallVisitorUtils method partExpr.

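/**
 * Splits each top-level AND/OR expression into its two operands; every other expression
 * is carried over unchanged.
 *
 * <p>Only one level is split: an AND/OR nested inside an operand is not expanded further.
 *
 * @param exprs the expressions to split; {@code null} is treated as an empty list
 * @return a new mutable list holding the split operands in input order, never {@code null}
 */
public static List<SQLExpr> partExpr(List<SQLExpr> exprs) {
    if (exprs == null) {
        return new ArrayList<SQLExpr>();
    }
    List<SQLExpr> partList = new ArrayList<SQLExpr>(exprs.size());
    for (SQLExpr x : exprs) {
        if (x instanceof SQLBinaryOpExpr) {
            SQLBinaryOpExpr binary = (SQLBinaryOpExpr) x;
            SQLBinaryOperator op = binary.getOperator();
            if (op == SQLBinaryOperator.BooleanAnd || op == SQLBinaryOperator.BooleanOr) {
                partList.add(binary.getLeft());
                partList.add(binary.getRight());
                continue;
            }
        }
        partList.add(x);
    }
    return partList;
}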
